Andy, I don't think Alan reads this mailing list, but I do.
We have integrated ADFS with the Shibboleth IdP, pretty much in the way that several people have discussed on the list already.
Basic details:
* Shibboleth is set up using Tomcat.
* Apache is installed with Shibboleth SP.
* Apache proxies /idp to Shibboleth IdP via ajp.
* ADFS and the Shibboleth SP are set up with each other's metadata (there's a Python script out there called adfs2fed which makes this easier).
* Apache is configured to require Shibboleth authentication at /idp/Authn/RemoteUser.
* Shibboleth IdP is configured to use REMOTE_USER for authentication.
* Shibboleth IdP continues to use LDAP to fetch attributes in the normal manner.
There are a few fiddly bits, but it works.
Some things we haven't got working:
* Logout is broken.
* Forced authentication is broken.
On balance though, we're happy with it.
Cheers,
Duncan Sinclair.
--
Duncan Sinclair
Infrastructure Specialist – Systems
Abertay University, Dundee
Tel: 01382 308904
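As an added illustration of the setup listed above (example configuration, not from the thread or from Abertay): an Apache httpd 2.4 fragment for the AJP proxy to the IdP and the SP-protected RemoteUser path, with the matching Tomcat and SP settings noted as comments. Host names, ports and the entityID are assumed placeholders.

```apache
# Added example, not from the mailing list. Assumed: Tomcat AJP connector on
# 127.0.0.1:8009, IdP deployed at /idp, Shibboleth SP already loaded via shib.conf.
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# Everything under /idp is handed to the IdP in Tomcat over AJP.
# mod_proxy_ajp carries the authenticated user (REMOTE_USER) inside the AJP
# request, which is what the IdP's RemoteUser login handler reads.
ProxyPass        /idp ajp://127.0.0.1:8009/idp
ProxyPassReverse /idp ajp://127.0.0.1:8009/idp

# Protect only the RemoteUser handler path. The rest of /idp (SSO endpoints,
# metadata, status) must stay open or SPs cannot start a login at all.
<Location /idp/Authn/RemoteUser>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # valid-user fails unless REMOTE_USER is populated, so the IdP never
    # sees a session that carries no usable identifier.
    Require valid-user
</Location>

# Matching settings elsewhere (shown here as comments):
#
# shibboleth2.xml - pick which ADFS-released attribute becomes REMOTE_USER and
# pass attributes as AJP request attributes rather than HTTP headers:
#   <ApplicationDefaults entityID="https://idp.example.ac.uk/shibboleth"
#                        REMOTE_USER="eppn" attributePrefix="AJP_">
#
# Tomcat server.xml - trust the proxy's REMOTE_USER, and bind the AJP port to
# loopback so nothing but this Apache can present a user to the IdP:
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
#
# idp.properties (IdP v3) - enable the RemoteUser flow:
#   idp.authn.flows = RemoteUser
```

Check the result with the IdP's status page and by confirming that a direct request to /idp/Authn/RemoteUser without an SP session is redirected to ADFS rather than served.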
> -----Original Message-----
> From: Discussion list for Shibboleth developments <JISC-
> [log in to unmask]> On Behalf Of Andy Swiffin (Staff)
> Sent: Thursday, March 29, 2018 9:21 AM
> To: [log in to unmask]
> Subject: Re: Shibboleth - External Authentication to AD FS?
>
> I think the discussion about ADFS in a SAML federation was more to do with
> using it instead of using Shibboleth. I would expect most of the issues would
> hang around its inability to easily consume metadata for a whole host of SPs
> in an automated way. We have the same beef with Azure AD as a SAML IdP
> too. Effectively you have to apply each SP's metadata separately to a non-
> gallery application. Fine for a handful of local apps (works well with, for
> example, our own Blackboard and SITS evision which we have authenticating
> there) but I wouldn't want to have to do it for a "federationfull".
>
> Well, we didn't have to do anything to get the Shibboleth IdP to authenticate
> against the Azure AD IdP apart from setting up Azure for a new SP. But the SP
> was Overt and they sorted out how to bridge _their_ IdP's authentication
> through their SP to us.
>
> I believe Abertay have done this themselves though, Alan (Hellier) are you
> listening to this conversation?
>
> Cheers
> Andy
>
>
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Anwar Mahmood
> Sent: 28 March 2018 14:54
> To: [log in to unmask]
> Subject: Re: Shibboleth - External Authentication to AD FS?
>
> [apologies for multiple replies; using the web interface which doesn't show
> previous messages]
>
> With regards to...
>
> However, I think what you are looking for is probably an immediate solution
> utilising ADFS. Peter raised a very good point about ADFS operating in a
> SAML federation, and our findings about ADFS in the UK federation can be
> found here [3]; in short, it's not suitable and as a result we have very low
> numbers of ADFS entities (systems) registered in the UK federation, and one
> possibly or partially operating.
>
> ...yes, I saw those limitations. I have referred my Microsoft Account
> Manager to that page, and asked him to refer it to Microsoft's AD FS product
> manager. If I hear anything, I will certainly share here!
>
> With regards to...
>
> "integration with ADFS whether that's SAML or"
>
> ...yes, that's exactly what I had in mind; are there any recipes out there? It's
> easy enough in AD FS; add the relying party using Shibboleth metadata. I
> don't know at the Shibboleth end. It's a little frustrating that there are two
> products, Shibboleth IdP and Shibboleth SP, different version tracks, but
> often online references don't specify which.
>
> Kind regards,
>
> Anwar
>
> The University of Dundee is a registered Scottish Charity, No: SC015096